Cookie Policy
This Cookie Policy explains what cookies and similar storage NovaHunt uses, why each one exists, and how to opt out where you can.
The short version: NovaHunt uses only the cookies it needs to sign you in and to recover from errors. We do not run advertising cookies. We do not run analytics cookies. We do not embed third-party tracking pixels. There is no cross-site profile of you built from your activity on NovaHunt.
1. What is a cookie
A cookie is a small text file a website stores in your browser so it can recognise you on later visits. "Similar storage" includes localStorage and sessionStorage (browser-side key/value stores). We treat both the same way in this policy.
2. The full list of cookies NovaHunt sets
| Name | Purpose | Type | Sender | Lifetime |
|---|---|---|---|---|
| authjs.session-token (or __Secure-authjs.session-token on HTTPS) | Holds your Auth.js session reference so you stay signed in across page loads. Without it the app cannot tell who you are. | Strictly necessary | NovaHunt (first-party) | 30 days, or until you sign out |
| authjs.csrf-token (or __Host-authjs.csrf-token) | Cross-Site Request Forgery protection for sign-in and POST requests. Auth.js requires it. | Strictly necessary | NovaHunt (first-party) | Session |
| authjs.callback-url | Remembers where to return you after a successful magic-link sign-in. | Strictly necessary | NovaHunt (first-party) | Session |
| sentry-trace / baggage (only set when error monitoring is enabled and an error occurs) | Correlates a frontend error to its backend trace so we can debug crashes. Contains a random trace ID — no email, no resume, no profile content. | Functional | NovaHunt (first-party), forwarded to Sentry | 1 hour, error-scoped |
That is the complete list. We do not set:
- Advertising or retargeting cookies.
- Google Analytics, Plausible, Mixpanel, Amplitude, or any other product-analytics cookie.
- Social-network share / like-button cookies (we do not embed those widgets).
- Affiliate or referral-tracking cookies.
If you ever find a cookie set by trynovahunt.com that is not in the table above, treat it as a bug and email privacy@trynovahunt.com.
3. Strictly necessary vs functional
Under the EU ePrivacy Directive (and the UK PECR), consent is required for cookies that are not strictly necessary to provide a service the user has explicitly requested. The Auth.js cookies in the table above are strictly necessary — without them you literally cannot log in, which is the service you requested by signing up.
The Sentry trace cookie is functional rather than strictly necessary. We classify it that way because the service would still work without it; you would just get worse bug-fix turnaround when something breaks. We give you a switch for it (see opt-out below). The Sentry cookie only appears when error monitoring is turned on at the deployment level (NEXT_PUBLIC_SENTRY_DSN is set); for local development and any deployment without a Sentry DSN, it is not set at all.
4. Why we do not show a "cookie wall" banner
The EU and UK rules require consent for non-essential cookies. They do not require a banner for cookies that are strictly necessary to deliver a service the user requested. Because the only always-on cookies on NovaHunt are the Auth.js session and CSRF cookies — both strictly necessary to sign you in — we do not block the site behind a consent wall. This matches the position of the EDPB (Guidelines 03/2022) and the UK ICO.
If we ever add a non-essential cookie that is on by default, we will add a banner with a real opt-in and update this page first.
5. How to opt out
For the Sentry functional cookie: in your account settings, toggle "Send anonymous error reports to help us debug" off. The cookie will not be set on subsequent loads, and any in-flight Sentry traces are dropped.
For all cookies, including the strictly necessary ones: your browser lets you delete cookies and block them. Doing so for the Auth.js cookies will sign you out and prevent you from signing back in until you re-enable them. Browser instructions:
- Chrome: Settings → Privacy and security → Cookies and other site data
- Firefox: Settings → Privacy & Security → Cookies and Site Data
- Safari: Preferences → Privacy → Manage Website Data
- Edge: Settings → Cookies and site permissions → Cookies and site data
You can also block all third-party cookies, but since NovaHunt does not set any third-party cookies, this has no effect on our service.
6. "Do Not Track" and Global Privacy Control
We honour the Global Privacy Control (GPC) signal. If your browser sends Sec-GPC: 1, we treat that as an opt-out from non-essential cookies, including the Sentry functional cookie. Legacy DNT: 1 is also treated as an opt-out.
7. Changes to this policy
If we add, remove, or change a cookie, we will update the table in section 2 and revise the date below. Material changes are also announced in the daily briefing email.
8. Contact
Questions about cookies should go to privacy@trynovahunt.com.
Last updated: 2026-05-19
Contact: legal@trynovahunt.com